Lessons Learned from Building the Azure Let's Encrypt Site Extension


Global Azure Bootcamp 2019 - Copenhagen

Simon J.K. Pedersen

@simped / mail@sjkp.dk

Quick Intro

  • Azure Web Apps
  • Site Extensions
  • SSL Certificates
  • Let's Encrypt

How many of you use Azure Web Apps - with a custom domain?

Are you paying for your SSL certificate?

Why did I build it?

Personal challenge/learning opportunity

Learnings

  • Azure Web Apps behind the scenes
  • Moving on from the site-extension approach (Functions and ACI)
  • Using Key Vault and ARM templates

Azure Web Apps

  • So many application frameworks are used
  • Some people have massive deployments
  • Web Jobs in site-extensions...
  • Server farms/app service plans and their location
  • Not all scale units are created equal
  • Deploy from ZIP/read-only disk
  • KUDU API
  • Traffic manager

Moving on

  • Avoid support when people mess up the web job
  • Avoid support when working with Service Principals
  • Support other Azure services
    • Azure CDN
    • Azure API Management
    • Azure Functions
  • Better security (KeyVault)

Attempt #1

  • Make an API
  • Host the API in the site-extension
  • Let people call the API from Azure Functions/Logic Apps
  • More trouble for the user
  • Why even use site-extension

Attempt #2

  • Make a NuGet package
  • Let people do it themselves
  • And some did ...

Attempt #3

  • Wait for Microsoft to do it...

Attempt #4

  • Found certes (https://github.com/fszlin/certes)
  • Rewrite to .NET Core (so we can use Azure Functions v2 and Docker)
  • Support wildcard
  • Realize a lot of DNS providers are VERY slow at propagating DNS changes
  • Use Managed Service Identity
  • Use KeyVault

Demo Time

Architecture

KeyVault and ARM Templates

  • Existing Resources (different resource groups)
    • Azure DNS
    • Azure Web App
  • What we want to deploy
    • KeyVault
    • Azure Function (Storage Account & App Service Plan)
      • Managed Service Identity
      • App Settings
    • Application Insights
    • Role Assignments to Managed Service Identity

Managed Service Identity

Key Vault Access to MSI

Save secrets in Vault

Reference Secrets

Role Assignments

Link